Mobile Security: A Moving Target

Mobile security needs must be balanced against the needs of users. Customers "want the freedom to procure apps from a variety of sources without imposing a platform requirement."
Users "won't accept some of the more traditional, centralized, IT-driven control, device restrictions, and IT oversight of the past," said Jeremy Stieglitz, vice president of Voltage Security.

By Richard Adhikari
Oct 2, 2012 5:00 AM PT

The threat to enterprise security is increasing as the
BYOD phenomenon gains ground in corporate America.

The amount of Android malware out there has gone through the roof, and hackers are leveraging Twitter to create command and control servers for mobile botnets, according to
McAfee's Q2, 2012 threats report.

Existing approaches to security don't work well, and new solutions are required.

"The most important difference between [mobile devices] and traditional endpoints is that people view them as joint personal and business devices," Martin Ward, McAfee's senior director of endpoint security product marketing, told TechNewsWorld. "That creates the need for a different approach to security."

Stumbling Toward the New Security

It's not enough to just secure enterprise applications; businesses must now be able to manage the devices users bring in and the data on those devices.

That has given rise to two new fields, mobile device management and mobile application management.

MDM lets enterprises secure, manage and support mobile devices in their infrastructure. It allows for over-the-air distribution of apps, data and configuration settings, and control and protect the data and the configuration settings.

MAM allows the faster, simpler creation of in-house enterprise mobile apps. It also lets users deploy and manage both in-house and commercially available business apps.

Separating Corporate and User Data

MDM and MAM are important parts of a mobile security setup, but perhaps even more important is the separation of corporate and user data. Efforts in that regard haven't been very successful.

"MDM solves part of the problem, but really does nothing to protect the data itself," Jeremy Stieglitz, vice president of business development at
Voltage Security, told TechNewsWorld.

"So far, the approach to keep corporate and user data separate has been to pour concrete on the device and say good luck to the end user," Alan Murray, senior vice president of product at
Apperian, remarked. "Decent solutions in the past have focused on BlackBerry and that race is over."

Rim's
Mobile Fusion technology includes BlackBerry Balance, software that creates a secure
AES 256-bit encrypted file system for business data so owners can use their devices at work and in their personal lives. However, BlackBerry maker Research In Motion is hemorrhaging market share and is no longer considered a real player in the smartphone market.

"iOS and Android are clearly [users'] first picks," Murray said. "There are no native solutions for [separating business and personal data] on either platform."

Going Beyond MDM

Additionally, MDM solutions don't generally address cases where users have emails and attachments in their inbox on a server in the cloud, Stieglitz said. "At best, if it has a container, it can provide isolated security protection inside the container, but what about the data on the server, or data pushed to public clouds? What about a reply to a third party? What about when it's transmitted to another non-MDM user?"

Putting apps in a container has other problems, Apperian's Murray told TechNewsWorld. "All apps must now build to the same least common denominator, and this has a direct impact on use, adoption and, ultimately, ROI."

Further, third-party devs may lack the skills for, or access to, the platform the enterprise is using internally, which "represents a technical tax to the enterprise," Murray pointed out.

Also, customers "want the freedom to procure apps from a variety of sources without imposing a platform requirement."

Users "won't accept some of the more traditional, centralized, IT-driven control, device restrictions, and IT oversight of the past," Voltage's Stieglitz suggested. This new democratic approach "paves the way for more data-centric approaches that let IT control sensitive data at the data level, across the new, expanding set of devices and apps users are bringing into the enterprise."

Many Hands Make Security Light Work

These issues have led mobile security vendors to strike up partnerships in order to offer more well-rounded solutions.

For example, Voltage has set up an alliance program that brings together players in the MDM, MAM and data loss prevention areas.

EASE makes for easy creation of in-house enterprise apps. MAP lets IT wrap pre-configured policies on its server around those apps, providing fine-grained application-level security. Existing apps can be so wrapped without accessing their original source code.

"The idea is that [the security] is specific for an app and for specific users of that app," Carlos Montero-Luque, Apperian's chief technology officer, told TechNewsWorld.

The policies are complementary to any other policies, at the enterprise, network or device level, Montero-Luque said.

"We see the need to segment the data to enable businesses to protect only the data they deem critical," McAfee's Ward remarked. The mobile security market "is still in its infancy, [and] we do see [it] evolving rapidly."